NETSTOCK’s customers enjoy the following security:
1. Transit security
All data transferred from the on-premise ERP system to our Comms servers are compressed. This data is then sent via the Secure FTP protocol. This data is encrypted in-transit via session keys and symmetric encryption. The software on the ERP system is authenticated on the Comms server using the customer’s unique public key. The private key is never shared.
The same process then happens to forward the information from the Comms server to the appropriate cloud App server.
For more information about data transmission, see the ERP Connector guide.
2. Data centre security
NETSTOCK only makes use of secure, reputable hosting providers. We only make use of data centres with the following minimum security features:
Digital security camera system monitors all entries, hallways, and all areas of the lobby and colocation cabinet areas.
Entry to the colocation areas requires an access card key.
Redundant industrial HVAC units (air conditioners) environmentally control the air temperature and relative humidity in the Colocation Facilities. Cabinets are arranged in alternating hot and cold aisles, with cold air flowing from overhead ducts into the cold aisles, flowing through the cabinets, and exhausting into the warm aisles.
Power, PDUs and Conditioning
Clean, conditioned power is delivered through Power Distribution Units (at least one for each row of cabinets). Each cabinet is individually breakered, so even if one customer has a power issue, other cabinets should not be affected.
Uninterruptible Power Supplies
PDUs are connected to Uninterruptible Power Supplies, which have enough battery power to keep systems running until the generator starts delivering power. All systems undergo regular preventative maintenance.
Power Generators and Fuel
Multiple generators automatically start when outside power is lost, and begin delivering full electric power to the facility within seconds. There should be enough fuel on hand for several days of generator operation at full load, and contracts with local fuel suppliers to promptly replenish when necessary.
NETSTOCK makes use of two data centre providers:
Our customers’ data are hosted at the following data centres:
- North America
- Linode – Newark, NJ
- Linode – Fremont, CA
- Linode – Atlanta, GA
- Linode – Dallas, TX
- Africa and Europe
- Linode – London, UK
- Hetzner – Nuremberg, DE
- Hetzner – Falkenstein, DE
- Australia and New Zealand
- Linode – Tokyo, JP
- Hetzner – Nuremberg, DE
- Hetzner – Falkenstein, DE
3. Storage security
All our servers run an open source software stack:
Our servers are all behind firewalls with strict rules allowing only the following traffic:
- www – port 80/tcp
- https – port 443/tcp
- ssh/sftp – port 22/tcp
Back-end logins into our servers can only happen with RSA keys, and not via passwords. This means that personnel of NETSTOCK’s access to our back-end servers can be revoked at any time
Our servers are protected from brute-force attacks by automatically banning anyone with 3 failed login attempts for an hour. This happens at the firewall level.
All the OS and application software are patched daily for any security vulnerabilities.
4. Data isolation
Every customer’s data is completely isolated from every other customer’s data, by using a seperate Database to store their data in.
Similarly, every customer accesses the NETSTOCK service using a unique URL for that customer. A user’s login credentials can never work on another customer’s instance of NETSTOCK.
All data on all servers are backed up every 24 hours. Full backups are retained for 14 days. Any customer’s data can be restored, and depending on the size of the customer’s data the restore will take up to 4 hours to complete.
In case of a catastrophic server failure, new VPSes are spinned up, and customer data restored. The longest a customer will be without a working NETSTOCK system is 48 hours. Typically it’s less than 8 hours.
Backups are stored in a geographic separate data centre, so that a data centre disaster doesn’t affect both the operational servers and the backup servers.
As NETSTOCK is not a mission-critical system, we do not offer automatic fail-over to stand-by servers. This also keeps the monthly cost down for our customers.
6. Web security
All access to a customer’s instance of NETSTOCK goes over the https protocol. Our SSL certificates are signed by trusted CAs. All requests to our web app are protected against Cross-Site Request Forgery.
This means that Man-In-The-Middle attacks are exceedingly difficult to perform. No-one can read our customers’ information whilst in-transit to and from our web servers.
All sessions are automatically logged out after a period of non-use, helping to guard against unauthorised usage of a logged-in system.
Only password hashes are stored in our databases. So even if the password hashes were obtained, they cannot be used to log into NETSTOCK.
7. Data retention
In the case that a customer cancels their NETSTOCK subscription, we retain an archive of the customer’s data for three months. This allows for an easier re-instatement of the service, if requested. After three months the data will be deleted forever, even from our backup servers. A full dump of a customer’s data is available upon request in the three month period.